Closed stokito closed 1 year ago
Thanks for the PR, much appreciated!
Interesting that Windows 10 has a registered extension for p12, p7(b,c,s,r), and even the p10 (but not .csr) but the p8 is not.
PKCS#8 is maybe simply too exotic.
We probably should also add *.pem extension.
When exporting an RSA key to OpenSSL format then the KSE sets .key file extension but internally this is the same pem as p8. The .key file extension in Linux is shown as PGP key.
Similarly for export of a public key we should support the *.pem since it is often used in the OpenSSL documentation.
As far as I understood there is no specified extension for a public key (without certificate).
By default the KSE sets extension to .pub which is not good because on Linux it shows as an OpenOffice presentation file.
In the SO question it was said "that the PUBLIC KEY is also included in the .p8 file". As far as I understood the PKCS#8 was about updating the format of PKCS#1 and adding support of EC keys. So technically speaking the public key also can be in the PKCS#8 format. But this adds more confusion.
Sorry for being annoying, I'm just trying to understand which extensions must be used and how they are supported by OSes and programs. Today we have a mess which is dangerous.
We probably should also add *.pem extension. When exporting an RSA key to OpenSSL format then the KSE sets .key file extension but internally this is the same pem as p8. The .key file extension in Linux is shown as PGP key.
Okay, I'm fine with not using ".key" anymore. The "OpenSSL" format is actually PKCS#1. An alternative would be to use something like ".pkcs1" or ".p1". And we could combine ".pem" with the format, like ".pem.pkcs1" or ".pkcs1.pem" for PEM encoded PKCS#1 keys. And ".pem.p8" or something like that for PKCS#8 files.
Similarly for export of a public key we should support the *.pem since it is often used in the OpenSSL documentation. As far as I understood there is no specified extension for a public key (without certificate). By default the KSE sets extension to .pub which is not good because on Linux it shows as an OpenOffice presentation file.
Okay, no ".pub" either then. The format for public keys is called "SubjectPublicKeyInfo". What do you think of ".spki" as the new extension for public keys? Maybe combined with ".pem" similar to the suggestion for private keys.
In the SO question it was said "that the PUBLIC KEY is also included in the .p8 file". As far as I understood the PKCS#8 was about updating the format of PKCS#1 and adding support of EC keys. So technically speaking the public key also can be in the PKCS#8 format. But this adds more confusion.
Yes, PKCS#8 can also include the public key. But you are overthinking it here. Adding the public key is optional and just a convenience. PKCS#8 is a format for private keys.
Sorry for being annoying, I'm just trying to understand which extensions must be used and how they are supported by OSes and programs. Today we have a mess which is dangerous.
I am always happy when someone helps with KSE. But relax a bit, this is really not a big thing. Crypto formats are simply not used that much and software that generates or processes these formats usually does not rely on file extensions. All those formats can be detected from the content. With this in mind it makes sense that there are no standards for file extensions for these formats.
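The point made above, that these formats can be detected from the content, shown as an added example (not KSE code and not written by anyone in this thread). The function names are hypothetical, the DER check looks only at the leading ASN.1 tags, and it covers only the four key formats named here, so other structures with the same leading tags (PKCS#12, for instance) are not told apart.

```python
import base64
import re

# PEM labels for the key formats named in this thread.
PEM_LABELS = {
    "RSA PRIVATE KEY": "PKCS#1 private key",
    "PRIVATE KEY": "PKCS#8 private key",
    "ENCRYPTED PRIVATE KEY": "PKCS#8 encrypted private key",
    "PUBLIC KEY": "SubjectPublicKeyInfo public key",
}
# Tags of the first two elements inside the outer DER SEQUENCE (tag-only heuristic).
DER_SHAPES = {
    (0x02, 0x02): "PKCS#1 private key",               # version, modulus
    (0x02, 0x30): "PKCS#8 private key",               # version, AlgorithmIdentifier
    (0x30, 0x04): "PKCS#8 encrypted private key",     # AlgorithmIdentifier, OCTET STRING
    (0x30, 0x03): "SubjectPublicKeyInfo public key",  # AlgorithmIdentifier, BIT STRING
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def classify(data):  # identify a key file from its bytes, not from its name
    m = re.search(rb"-----BEGIN ([A-Z0-9 ]+)-----", data)
    if m:
        return PEM_LABELS.get(m.group(1).decode(), "unknown")
    try:
        tag, start, _ = read_tlv(data, 0)
        t1, _, end1 = read_tlv(data, start)
        t2, _, _ = read_tlv(data, end1)
    except (IndexError, ValueError):
        return "unknown"
    return DER_SHAPES.get((t1, t2), "unknown") if tag == 0x30 else "unknown"

# Constructed sample (structure only, not a usable key): SubjectPublicKeyInfo shape.
SAMPLE_DER = bytes.fromhex("3012" "300d06092a864886f70d0101010500" "030100")
SAMPLE_PEM = (b"-----BEGIN PUBLIC KEY-----\n" + base64.b64encode(SAMPLE_DER)
              + b"\n-----END PUBLIC KEY-----\n")

if __name__ == "__main__":
    print(classify(SAMPLE_DER), "|", classify(SAMPLE_PEM))
```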
The "OpenSSL" format is actually PKCS#1.
Yes, let's rename it on the select list before export. The OpenSSL v3 now exports to the PKCS#8 format by default. If you want to export to the old PKCS#1 then you need to add -traditional option.
The .pkcs1.pem seems better as an extension because the pem extension is already known in Linux. But just the .pem should be also fine. But for the PKCS#8 we do have a dedicated extension so we can use it.
Okay, no ".pub" either then.
What about just .pem or .public.pem? There is no registered file type for a public but they aren't used anyway. Just a public key is not useful and everybody uses the .cer.
The default extension for the private key is .p8 or .p8e for encrypted private key.
It may make sense to change the default extension from the pkcs8 to just p8. Similarly to p12, p7(b,c,s,r), p10 (csr).
Interesting that Windows 10 has a registered extension for p12, p7(b,c,s,r), and even the p10 (but not .csr) but the p8 is not.
For Linux there is a database of MIME types and extensions called shared-mime-info and they use the p8. https://gitlab.freedesktop.org/xdg/shared-mime-info/-/blob/master/data/freedesktop.org.xml.in?ref_type=heads#L330
But the *.pkcs8 is also recognized as an alias to *.p8. It looks like anyway this file extension is not used so often and I found only one mention: https://stackoverflow.com/questions/49326118/what-is-the-file-with-p8-extension-apns-auth-key-jwt